Hmm
"We became aware on 30 March 2020 that malicious software (malware) had been uploaded on to our ecommerce website by an external third party, which was immediately blocked by our IT Security team"
malware... uploaded... immediately blocked. Sounds good, until you read more carefully.